Discussion in 'Article Discussion' started by Gareth Halfacree, 19 Nov 2014.
Free certificates for all.
It's depressing that we are being forced to use encryption and other measures to keep our private lives private, and all because governments seem intent on snooping on their citizens and censoring perfectly legal material.
A good start, but it still requires that any site storing personal details makes the effort to encrypt that data and tries to secure it.
Agreed, but they (the security services) are not going to stop, and we have the right to try to protect our personal data, regardless of the usual rhetoric the SS's like to quote, and considering that they can do, and do, whatever they want to get our data.
This classic article in the Guardian shows the mindset of the SS's and their reasoning.
With more data being encrypted in various ways, the SS's might try to intimidate people that encrypt their data by prosecuting more people for failing to disclose an encryption key, an offense that people in the UK have been jailed for. The SS's really don't want the problem of dealing with encryption, and it wouldn't be surprising to see it made illegal along with VPNs and other concealment methods. That would be exactly what the SS's want, because then anyone using any method of concealment would be breaking the law, and it would give them all the reasons they need to justify spying on us.
Stupid they ain't!
I can tell you 100% that that will never happen. Encryption is used in everything from protecting businesses' data to concealing your credit card details. I sell encryption to some of the biggest businesses in the EU and the only direction encryption sales are going is up.
HTTPS, which this article refers to, can't be made illegal, because if they did they would kill all commercial and a lot of non-commercial use of the Internet.
While it is true that they can't just issue a blanket ban on VPNs and encryption in general, they can easily legislate against everyone being able to use them.
Let's just call it encryption neutrality; along with net neutrality, it should theoretically be an unquestionable principle of a free society.
However that may well not stop things taking a change for the worse.
It is not unlikely that both traffic priority and encryption legality will become fully dependent on who is buddies with the government and/or pays enough.
I'm referring to personal encryption methods, not businesses, but if the security services do want access to business data they will get it, one way or another. They have already shown that by their intimidation of the telecoms companies.
You really think that company bosses will go to jail rather than comply with court orders and the security services? Not a chance. The SS's can ruin your life if they want to; they don't play by the rules, as we well know.
You might also want to read this. We now know that there are backdoors to many encryption methods and the SS's have access to them, but we also now know that the NSA have been working with tech companies for years and they could get access to anything if they want it.
The "access" you are referring to is when people do not protect the encryption keys correctly, or even at all.
When most people set up a VPN (or any other encryption) they leave the key on the server/gateway, which is how the NSA etc. can gain access. If you put the keys in an HSM then there is no "back door" access, and only the authorized people with access to the HSM can access the key.
It's all about setting encryption up correctly.
But none of that matters. It's an offense in the UK, and I believe the USA, to refuse to hand over encryption keys, so even if the security services can't access the data they can still pressure people by threatening jail for non-compliance. VPN services are also a waste of money, as there is not one single VPN service that won't comply if they have to, and despite what they say they all log and keep records and will hand them over. Also, some ISPs will not allow the use of VPNs, so even if they are not made illegal they could not be used.
Hide My Ass VPN couldn't hand over details of LulzSec hackers quickly enough when asked. Sure, LulzSec might have been up to no good, but it shows that VPN services are pointless if they will comply with a court order.
To be fair, the "intimidation" of telecoms companies is no such thing. IDK the legality or how it works outside the UK, but the UK government has laws that state telecoms companies must allow the state access to their networks; IIRC it was part of the DRIP bill that got rushed through parliament this year.
So it's not "intimidation" of telecoms companies, it's just telecoms companies complying with the law.
It matters very much, because at least the company will know the security services need the data and they must have a valid reason; they can't just demand access for fun. The NSA problem was that this was being done without the consent of owners.
If you control the keys you control the access to YOUR data, and any request from the police, intelligence services etc. must go through you instead of around you. I know a company can't refuse to grant access indefinitely and they must comply fully with the law, but better to control the situation than be unaware.
The tactics of snitch my ass are indeed shockingly common...
Have a read through some of the topics here and weep:
If the leaked Snowden documents are to be believed then you having control over the keys means very little...
It doesn't stop there...
Probably the only way to know for sure that your encryption method hasn't been compromised is to write it yourself.
This is because people leave keys on unsecured servers. Hack the firewall and gain access to the server which has the key in SOFTWARE! And bang, you are in.
If you use an HSM, i.e. a hardware black box, then getting past the perimeter is irrelevant; you will still not have access to the keys allowing you to hack the VPN/encryption etc. The keys NEVER leave the HSM and can only be accessed via a PIN entry device, which can be local ONLY if you wish. Therefore, unless the NSA are on site at your office, they aren't getting anything.
But if the software/hardware you used to encrypt your data has a backdoor they wouldn't need to bother getting your key, no?
On the website side of things using Perfect Forward Secrecy resolves the issue of key compromise when it comes to historical communication. I don't know if VPNs support something similar.
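As an added illustration, not part of the thread or any poster's own code, of why forward secrecy protects historical traffic: the stand-alone Python sketch below contrasts static Diffie-Hellman key agreement (the server reuses its long-term DH key, standing in for any key exchange without forward secrecy) with ephemeral Diffie-Hellman, where both sides use one-time values and the long-term key only authenticates. It assumes the RFC 2409 1024-bit MODP group purely so the arithmetic runs with the standard library (that group is too small for real deployments), uses SHA-256 in place of a proper KDF, and uses an HMAC tag as a stand-in for the server's signature over its ephemeral value; every key and transcript is constructed inside the script.

```python
"""Forward secrecy illustrated with Diffie-Hellman (standard library only).

Two ways a client and server can agree a session key:
  * static key agreement: the server always uses its long-term DH key.
    Anyone who recorded the client's public value and later obtains the
    server's long-term private key recovers the session key.
  * ephemeral key agreement (the basis of forward secrecy): both sides
    use a fresh private value per session and discard it afterwards.
    The long-term key only authenticates the exchange, so leaking it
    later does not reveal past session keys.
"""
import hashlib
import hmac
import secrets

# 1024-bit MODP group from RFC 2409 (group 2). Too small for modern use;
# it is here only so the example runs quickly without third-party libraries.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
P_BYTES = (P.bit_length() + 7) // 8  # 128


def dh_private() -> int:
    return secrets.randbelow(P - 2) + 1


def dh_public(priv: int) -> int:
    return pow(G, priv, P)


def derive_key(shared: int) -> bytes:
    # Session key = SHA-256 of the shared secret (a stand-in for a real KDF).
    return hashlib.sha256(shared.to_bytes(P_BYTES, "big")).digest()


def static_handshake(server_long_term_priv: int):
    """Server reuses its long-term DH key; the client sends an ephemeral value.

    Returns (session_key, transcript). The transcript is exactly what a
    passive eavesdropper on the wire could record.
    """
    client_priv = dh_private()
    client_pub = dh_public(client_priv)
    server_pub = dh_public(server_long_term_priv)
    session_key = derive_key(pow(server_pub, client_priv, P))
    transcript = {"server_pub": server_pub, "client_pub": client_pub}
    return session_key, transcript


def ephemeral_handshake(server_long_term_mac_key: bytes):
    """Both sides use fresh DH values; the long-term key only authenticates.

    The HMAC tag stands in for a signature over the server's ephemeral public
    value. The private exponents are local variables and are gone when this
    function returns, which is the property forward secrecy relies on.
    """
    server_priv = dh_private()
    client_priv = dh_private()
    server_pub = dh_public(server_priv)
    client_pub = dh_public(client_priv)
    tag = hmac.new(server_long_term_mac_key, server_pub.to_bytes(P_BYTES, "big"),
                   hashlib.sha256).hexdigest()
    session_key = derive_key(pow(client_pub, server_priv, P))
    transcript = {"server_pub": server_pub, "client_pub": client_pub, "auth_tag": tag}
    return session_key, transcript


def attacker_recovers_key(leaked_long_term_priv: int, transcript: dict) -> bytes:
    """What an eavesdropper can compute from a recorded transcript once the
    server's long-term private value leaks: client_pub ** leaked mod P."""
    return derive_key(pow(transcript["client_pub"], leaked_long_term_priv, P))


def demo():
    """Returns (static_session_recovered, ephemeral_session_recovered)."""
    long_term_priv = dh_private()
    long_term_mac_key = secrets.token_bytes(32)

    static_key, static_transcript = static_handshake(long_term_priv)
    ephemeral_key, ephemeral_transcript = ephemeral_handshake(long_term_mac_key)

    # Later: the long-term private value leaks (seizure, compelled disclosure,
    # a copy left on a server). Replay the recorded transcripts against it.
    static_broken = attacker_recovers_key(long_term_priv, static_transcript) == static_key
    ephemeral_broken = attacker_recovers_key(long_term_priv, ephemeral_transcript) == ephemeral_key
    return static_broken, ephemeral_broken


if __name__ == "__main__":
    s, e = demo()
    print("static DH session recovered from leaked long-term key:", s)     # True
    print("ephemeral DH session recovered from leaked long-term key:", e)  # False
```

The same split is what a TLS cipher-suite choice encodes: RSA key transport or static DH behaves like `static_handshake`, while the DHE/ECDHE suites behave like `ephemeral_handshake`, so a server that prefers the latter limits the value of a later key seizure to traffic after the seizure.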
The encryption is hardware based and the key never leaves the box, so it cannot be leaked.
There seem to be a variety of methods, but many involve obtaining the cryptographic key, which is extremely difficult to brute force. Much easier to obtain the master key and simply decrypt the info and read it.
Again, I'm referring to personal data on a personal PC not a company, I appreciate it's a different matter when dealing with a company rather than one person.
Agreed, intimidation was not the correct word, but the telecoms, for some reason, seemed very enthusiastic to apparently do more than 'simply complying with the law of their country'.
Now I have read up on what they meant when they said "numerous telecoms companies were doing much more than that", I understand what they mean (I think).
AFAIK RIPA (Regulation of Investigatory Powers Act) stated that telecoms companies had to provide intercept capabilities for UK-based companies/equipment; non-UK-based equipment/communications were legally exempt. It seems the telecoms companies went the extra mile and provided intercept capabilities overseas even though the law didn't compel them to do so (at that time).
Luckily, when parliament rushed through the DRIP bill (Data Retention and Investigatory Powers) that predicament was solved; DRIP contains a section to cover overseas telecommunications services.
At least now telecoms companies can claim they truly are just complying with the law.